[CERT-daily] Tageszusammenfassung - 19.04.2018

Daily end-of-shift report team at cert.at
Thu Apr 19 18:13:30 CEST 2018


=====================
= End-of-Day report =
=====================

Timeframe:   Mittwoch 18-04-2018 18:00 − Donnerstag 19-04-2018 18:00
Handler:     Alexander Riepl
Co-Handler:  Stephan Richter

=====================
=       News        =
=====================

∗∗∗ Data Firm Left Profiles of 48 Million Users on a Publicly Accessible AWS Server ∗∗∗
---------------------------------------------
LocalBlox, a company that scrapes data from public web profiles, has left the details of over 48 million users on a publicly accessible Amazon Web Services (AWS) S3 bucket, according to an UpGuard security researcher who discovered the data on February 28, this year.
---------------------------------------------
https://www.bleepingcomputer.com/news/security/data-firm-left-profiles-of-48-million-users-on-a-publicly-accessible-aws-server/


∗∗∗ Relieve Stress Paint Tool: Mal-Malware kopiert Facebook-Zugangsdaten ∗∗∗
---------------------------------------------
Eine Malware tarnt sich mit gefälschten Unicode-Domains und sucht gezielt nach Facebook-Zugangsdaten. Nutzern wird hingegen ein Anti-Stress-Malprogramm versprochen. (Malware, Virus)
---------------------------------------------
https://www.golem.de/news/relieve-stress-paint-tool-mal-malware-kopiert-facebook-zugangsdaten-1804-133940-rss.html


∗∗∗ Windows Exploitation Tricks: Exploiting Arbitrary File Writes for Local Elevation of Privilege ∗∗∗
---------------------------------------------
Previously I presented a technique to exploit arbitrary directory creation vulnerabilities on Windows to give you read access to any file on the system. In the upcoming Spring Creators Update (RS4) the abuse of mount points to link to files as I exploited in the previous blog post has been remediated. This is an example of a long term security benefit from detailing how vulnerabilities might be exploited, giving a developer an incentive to find ways of [...]
---------------------------------------------
https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html


∗∗∗ Trustjacking exploit abuses iTunes feature to spy on iOS devices ∗∗∗
---------------------------------------------
Researchers presenting at RSA 2018 on Wednesday disclosed how attackers can gain persistent remote control over iOS devices by abusing a weakness in iTunes Wi-Fi sync, a feature that allows users to sync up iTunes content and data between Apple devices.
---------------------------------------------
https://www.scmagazine.com/trustjacking-exploit-abuses-itunes-feature-to-spy-on-ios-devices/article/759686/


∗∗∗ From Baidu to Google's Open Redirects ∗∗∗
---------------------------------------------
Last week, we described how an ongoing massive malware campaign began using Baidu search result links to redirect people to various ad and scam pages. It didn't last long. Soon after the publication of that article, the bad actors changed the links to use compromised third-party sites and a couple of day later they began using Google's goo.gl URL shortening service. This is a snippet from their decoded script: The Redirect Chain If you check Google's own information about that [...]
---------------------------------------------
https://blog.sucuri.net/2018/04/from-baidu-to-googles-open-redirects.html


∗∗∗ Surprise! Wireless brain implants are not secure, and can be hijacked to kill you or steal thoughts ∗∗∗
---------------------------------------------
Science-fiction horror trope now a reality in 2018 Scientists in Belgium have tested the security of a wireless brain implant called a neurostimulator – and found that its unprotected signals can be hacked with off-the-shelf equipment.
---------------------------------------------
http://go.theregister.com/feed/www.theregister.co.uk/2018/04/18/boffins_break_into_brain_implant/


∗∗∗ New paper: Powering the distribution of Tesla stealer with PowerShell and VBA macros ∗∗∗
---------------------------------------------
Since their return four years ago, Office macros have been one of the most common ways to spread malware. Today, we publish a research paper which looks in detail at a campaign in which VBA macros are used to execute PowerShell code, which in turn downloads the Tesla information-stealing trojan.
---------------------------------------------
https://www.virusbulletin.com:443/blog/2018/04/new-paper-powering-distribution-tesla-stealer-powershell-and-vba-macros/


∗∗∗ Microsoft veröffentlicht "Windows Defender" als Chrome-Erweiterung ∗∗∗
---------------------------------------------
Microsoft hat seinen Echtzeitschutz als Chrome-Erweiterung veröffentlicht: Die "Windows Defender Browser Protection" verspricht "besseren Schutz" vor betrügerischen Phishing-Seiten und Malware.
---------------------------------------------
https://heise.de/-4027458


∗∗∗ Sicherheitsupdates: Flash-Datei kann Ciscos WebEx Client kompromittieren ∗∗∗
---------------------------------------------
Cisco hat zahlreiches Patches veröffentlicht und schließt mitunter kritische Sicherheitslücken. Zudem geben sie Tipps, wie Admins Netzwerke absichern sollten.
---------------------------------------------
https://www.heise.de/-4027370


∗∗∗ Gefälschte UPC-Phishingmail im Umlauf ∗∗∗
---------------------------------------------
Kriminelle versenden eine gefälschte UPC-Nachricht. Darin erklären sie, dass das E-Mailkonto von Kund/innen gesperrt worden sei. Damit diese es weiterhin nützen können, sollen sie eine externe Website aufrufen und ihre persönlichen Zugangsdaten bekannt geben. Konsument/innen, die der Aufforderung nachkommen, übermitteln ihr UPC-Passwort an Datendiebe.
---------------------------------------------
https://www.watchlist-internet.at/news/gefaelschte-upc-phishingmail-im-umlauf/



=====================
=  Vulnerabilities  =
=====================

∗∗∗ Drupal core - Moderately critical - Cross Site Scripting - SA-CORE-2018-003 ∗∗∗
---------------------------------------------
Project: Drupal coreDate: 2018-April-18Security risk: Moderately critical 12∕25 AC:Complex/A:User/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross Site ScriptingDescription: CKEditor, a third-party JavaScript library included in Drupal core, has fixed a cross-site scripting (XSS) vulnerability. The vulnerability stemmed from the fact that it was possible to execute XSS inside CKEditor when using the image2 plugin (which Drupal 8 core also uses).
---------------------------------------------
https://www.drupal.org/sa-core-2018-003


∗∗∗ Display Suite - Critical - Cross site scripting (XSS) - SA-CONTRIB-2018-019 ∗∗∗
---------------------------------------------
Project: Display SuiteVersion: 7.x-2.147.x-1.9Date: 2018-April-18Security risk: Critical 17∕25 AC:None/A:None/CI:Some/II:Some/E:Theoretical/TD:DefaultVulnerability: Cross site scripting (XSS)Description: Display Suite allows you to take full control over how your content is displayed using a drag and drop interface. The module doesnt sufficiently validate view modes provided dynamically via URLs leading to a reflected cross site scripting (XSS) attack.
---------------------------------------------
https://www.drupal.org/sa-contrib-2018-019


∗∗∗ PMASA-2018-2 ∗∗∗
---------------------------------------------
CSRF vulnerability allowing arbitrary SQL executionAffected VersionsVersion 4.8.0 is affectedCVE ID(https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10188, uCVE-2018-10188)
---------------------------------------------
https://www.phpmyadmin.net/security/PMASA-2018-2/


∗∗∗ Security updates for Thursday ∗∗∗
---------------------------------------------
Security updates have been issued by Debian (opencv and wireshark), Fedora (corosync and pcs), Oracle (firefox, kernel, libvncserver, and libvorbis), Slackware (gd), SUSE (kernel), and Ubuntu (apache2).
---------------------------------------------
https://lwn.net/Articles/752324/


∗∗∗ Cisco WebEx Connect IM Cross-Site Scripting Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-webcon


∗∗∗ Cisco WebEx Clients Remote Code Execution Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-wbs


∗∗∗ Cisco Identity Services Engine Shell Access Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-ise


∗∗∗ Cisco Industrial Ethernet Switches Device Manager Cross-Site Request Forgery Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-iess


∗∗∗ Cisco ASA Software, FTD Software, and AnyConnect Secure Mobility Client SAML Authentication Session Fixation Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asaanyconnect


∗∗∗ Cisco Adaptive Security Appliance Virtual Private Network SSL Client Certificate Bypass Vulnerability ∗∗∗
---------------------------------------------
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180418-asa1


∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in the IBM GSKit component of IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for Unix ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22015077


∗∗∗ IBM Security Bulletin: IBM API Connect is affected by an Apache HTTP Server vulnerability (CVE-2014-0226) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22015233


∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects IBM WebSphere Application Server for IBM Cloud January 2018 CPU ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22015289


∗∗∗ IBM Security Bulletin: Multiple Vulnerabilities in IBM® Java SDK affects Liberty for Java for IBM Cloud January 2018 CPU ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22015290


∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Cloud Manager with OpenStack ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=isg3T1027494


∗∗∗ IBM Security Bulletin: OpenSSL Vulnerability affects IBM Spectrum Protect Snapshot (formerly Tivoli Storage FlashCopy Manager) for Unix (CVE-2017-3737) ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22013612


∗∗∗ IBM Security Bulletin: Multiple vulnerabilities affect the GSKit component of IBM Tivoli Monitoring ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22015424


∗∗∗ IBM Security Bulletin: IBM MQ and IBM MQ Appliance are vulnerable to a memory leak in pubsub (CVE-2017-1786) ∗∗∗
---------------------------------------------
http://www-01.ibm.com/support/docview.wss?uid=swg22013023


∗∗∗ IBM Security Bulletin: Vulnerability affects Watson Explorer Analytical Components, Watson Explorer Foundational Components Annotation Administration Console and Watson Content Analytics ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22011118


∗∗∗ IBM Security Bulletin: Multiple vulnerabilities in IBM Jazz Team Server affect IBM Rational products based on IBM Jazz technology ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22015635


∗∗∗ IBM Security Bulletin: Multiple Security Vulnerabilities Impact IBM Predictive Insights ∗∗∗
---------------------------------------------
http://www.ibm.com/support/docview.wss?uid=swg22015539

-- 
CERT.at Daily mailing list
Listinfo: https://lists.cert.at/cgi-bin/mailman/listinfo/daily




More information about the Daily mailing list